When applying for a secure certificate you will need to generate a certificate signing request (CSR). If you are renewing an existing certificate you might want to keep your existing private key, if it’s a new certificate then you will probably need to create a new private key.

If you have previously registered a secure cert and nothing has changed since then, you can even re-use the existing CSR. The most important part of a CSR is the embedded public key, which must correspond to your private key, hence why it only really needs to change if you have changed private key.

What is in a Certificate Signing Request?
A CSR can contain the following information:

• Domain name (or person’s name)
• Address details
• E-mail address
• Public Key

When you send the CSR to a CA (certificate authority), they will use the information embedded within it to create you a full certificate, which has been signed by them. Some CAs will let you change the address information before generating the certificate.

You can decode a CSR with the following command:

openssl req -in old/secure.domain.com.csr -text -noout
Certificate Request:
   Data:
       Version: 0 (0x0)
       Subject: C=GB, ST=Hampshire, L=Aldershot, O=Fubra Ltd,
CN=secure.domain.com
       Subject Public Key Info:
           Public Key Algorithm: rsaEncryption
           RSA Public Key: (1024 bit)
               Modulus (1024 bit):
                   00:c7:2b:e8:ad:c7:2a:da:f7:0f:e5:7d:23:f5:91:
                   49:a5:1d:ee:df:03:33:af:b5:ad:0b:dd:3e:af:e0:
                   95:67:b8:39:fb:2b:0e:c4:2b:37:d7:aa:f7:79:f8:
                   07:23:41:87:e8:72:88:8e:4b:c5:e6:cc:51:7b:9a:
                   9f:87:db:52:f8:4d:73:b2:79:9a:b9:18:17:fb:f8:
                   22:05:6b:af:25:81:e3:89:e0:ec:be:d1:19:93:bf:
                   06:31:20:01:e3:3d:80:7f:1e:c3:9c:89:4f:33:f1:
                   bd:9a:f6:58:d5:74:51:9a:43:3e:14:f8:ee:8e:8d:
                   7b:43:da:44:33:13:bd:0d:7f
               Exponent: 65537 (0x10001)
       Attributes:
           a0:00
   Signature Algorithm: md5WithRSAEncryption
       50:c7:69:cf:04:53:8b:de:64:dc:ba:e3:ac:3b:93:d1:94:2f:
       48:3b:15:27:c7:e5:1a:65:bc:a4:bd:cb:6a:fe:12:a3:b0:14:
       13:23:ff:3b:15:68:eb:48:c1:63:64:e0:de:8d:ce:34:93:8f:
       41:ef:97:e5:6f:aa:1d:01:db:2e:51:d6:68:8a:d3:f8:f4:70:
       87:17:a2:d1:c8:2d:79:61:22:b6:02:bd:31:50:67:e6:7e:fb:
       23:49:e3:58:61:2e:6b:4b:77:1e:76:3f:d8:2f:8e:44:6e:9e:
       e7:e5:54:f7:a7:90:a7:3c:1e:34:4a:31:22:72:77:fe:bc:7e:
       53:ce

Generating a new CSR and a new private key
To create a brand new private key and certificate signing request just run:

openssl req -new -nodes -keyout newprivate.key -out server.csr

Generating a new CSR with an existing private key

If you need to generate a certificate signing request from an existing private key, you can do so with the following command:

openssl req -new -key existingprivate.key -out server.csr

Using an existing CSR with an existing private key
You don’t need to run any new commands, just send your existing CSR to the certificate issuer.

If you get a permission denied error when trying to redirect the output of a sudo command then the reason for this is normally because the superuser permissions only apply to the first part of the statement, e.g. the echo command. They do not carry through to the bash redirection.

paul@backups:~$ sudo echo 'test' >> /root/test
-bash: /root/test: Permission denied

One way to get round this is to use the tee command, as follows:

echo 'test' | sudo tee -a /root/test

Note that the -a switch means append to the file if it already exists.

Previously if I had wanted to kill a bulk list of mysql processes I would have done something like:

ps auxww | grep ^mysql | awk '{print $2}' | xarg kill -9

Today I discovered two really handy commands that make listing and killing processes a lot easier, pkill and pgrep.

You can achieve the same result as above with:

pkill -9 -u mysql mysql

This will kill all processes owned by the mysql user that have mysql in their name.

Installing Linux via PXE boot over a network can be a really nice way to do it and it is especially useful, if your client machine doesn’t have a CD / DVD drive. However, it can be a bit tricky to understand how it all works, so this post will hopefully explain what is going on, as well as show you how to set it up.

You will need:

• A DHCP server
• A TFTP server (tftpd-hpa)
• vmlinuz and initrd.img from your distribution of choice
• The PXELINUX.0 boot loader and a suitable config file

Install the TFTP server

Ensure you use the tftpd-hpa package, as PXELINUX requires that the boot server has a TFTP server which supports the “tsize” TFTP option. If you don’t use tftpd-hpa you will most likely see an error such as ‘TFTP server does not support the tsize option’

sudo apt-get install tftpd-hpa tftp-hpa xinetd

Configure xinetd to load TFTP

Create a new file called /etc/xinetd.d/conf/tftp and add the following contents:

service tftp
{
protocol        = udp
port            = 69
socket_type     = dgram
wait            = yes
user            = root
server          = /usr/sbin/in.tftpd
server_args     = /tftpboot
disable         = no
}

Create the /tftpboot folder, and ensure it is world readable. Then restart xinetd, and then test you can connect using tftp.

Set up the DHCP server

Add the following config to your /etc/dhcpd.conf file:

host pxeinstall {
# specify your client's MAC address
hardware ethernet 00:13:21:1F:F1:82; 
# give it an IP
fixed-address 192.168.0.10;
#If the tftp server is on a different host to the DHCP server, specify its IP.
next-server 192.168.0.2;
# path of the bootloader file, with tftpd-hpa it must be the absolute path
filename "/tftpboot/linux-install/pxelinux.0";
}

Then reboot dhcpd.

Setting up PXELINUX

PXELINUX is a SYSLINUX derivative, for booting Linux off a network server. Essentially, it is used to load a linux kernel of your choice on to your machine. You specify which kernel to load in a config file. You can download the latest pxelinux.0 file from kernel.org. You will need to extract it from the syslinux archive .

You are going to be creating a folder structure that will eventually look like this:

/tftpboot/
/tftpboot/linux-install
/tftpboot/linux-install/pxelinux.0
/tftpboot/linux-install/pxelinux.cfg
/tftpboot/linux-install/pxelinux.cfg/default
/tftpboot/linux-install/distros
/tftpboot/linux-install/distros/ubuntu8.04
/tftpboot/linux-install/distros/ubuntu8.04/linux
/tftpboot/linux-install/distros/ubuntu8.04/initrd.gz
/tftpboot/linux-install/distros/centos5.1
/tftpboot/linux-install/distros/centos5.1/vmlinuz
/tftpboot/linux-install/distros/centos5.1/initrd.img
/tftpboot/linux-install/menu.msg

So, create a linux-install folder inside the /tftpboot folder. Inside this directory you should copy in pxelinux.0 (the PXE network boot loader) and create another folder called pxelinux.cfg. Inside pxelinux.cfg, create a file called default and copy in something like the following code:

pxelinux.cfg/default

Make a folder called pxelinux.cfg inside /tftboot/linux-install and then inside that create a file called default, with the following contents:

PROMPT 1
TIMEOUT 200
DISPLAY menu.msg

DEFAULT linux

LABEL linux
        localboot 0

LABEL centos5.1
        KERNEL distros/centos5.1/vmlinuz
        APPEND initrd=distros/centos5.1/initrd.img ramdisk_size=6454 ip=dhcp

LABEL ubuntu8.04
        KERNEL distros/ubuntu8.04/linux
        APPEND initrd=distros/ubuntu8.04/initrd.gz ramdisk_size=6454 ip=dhcp

What this does is set up a boot prompt where you can choose to load any of the specified labels (kernels). In my example, I have used centos 5.1 and Ubuntu 8.04.

There is a 20 second timeout (200=20 seconds) and after this, it will load the default label.

The options we specify after each label direct the boot loader to the location of the kernel and the initrd files for that particular distro. NB: You must specify the path relative to the PXELINUX.0 file.

We have also specified menu.msg file – this just shows an ASCI menu to let people know what options they have. Unfortunately we could find a way to auto-generate a boot menu, so you need to edit the menu.msg manually every time you change the pxe config.

Linux Kernel and Initial Ram Disk

The only two files that are really needed to begin installing a distribution after PXELINUX loads are the compressed linux kernel and initial ram disk of your choice. You can define these as shown above in the pxelinux config. For ubuntu 8.04 they are called linux and initrd.gz, and can be found in the netboot folder of the ubuntu archive. For centos 5.1 they are called initrd.img and vmlinuz and can be found in the pxeboot images folder on any Centos Mirror. Once you have downloaded whichever ones you want to use, put them into your linux-install folder as shown in the directory structure above.

menu.msg

This is a really simple ASCII file that will be displayed as the boot menu. The one we use is as follows:

0a
                          .-=-.          .--.
              __        .'     '.       /  " )
      _     .'  '.     /   .-.   \     /  .-'0c\0a
     ( \   / .-.  \   /   /   \   \   /  /    0c^0a
      \ `-` /   \  `-'   /     \   `-`  /
       `-.-`     '.____.'       `.____.'
07
                                       _       
  __ _ _ __   __ _  ___ ___  _ __   __| | __ _ 
 / _` | '_ \ / _` |/ __/ _ \| '_ \ / _` |/ _` |
| (_| | | | | (_| | (_| (_) | | | | (_| | (_| |
 \__,_|_| |_|\__,_|\___\___/|_| |_|\__,_|\__,_|


07


Choose one of the following labels in order to boot:
- linux (localboot)
- centos5.1
- ubuntu8.04